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Abstract  _ 

We  introduce  a  new,  efficient  method  for  constructing  compact  symbolic  representations 
of  very  large  stochastic  labelled  transition  systems.  Contrary  to  known  symbolic  state 
space  generation  techniques,  our  technique  is  applicable  to  general  high-level  models  which 
do  not  have  to  possess  any  particular  structure.  The  method  is  based  on  zero-suppressed 
binary  decision  diagrams  which  we  extended  to  the  multi-terminal  case.  The  symbolic 
representation  is  obtained  by  evaluating  the  semantics  of  the  high-level  model.  During 
this  step  of  explicit  state  graph  exploration  one  constructs  a  seperate  symbolic  representa¬ 
tion  of  all  transition  induced  by  the  same  activity  in  an  on-the-fly  fashion.  The  obtained 
“activity-local”  structures  are  finally  composed  in  order  to  obtain  a  compact  symbolic 
representation  of  the  state  graph  of  the  overall  system.  For  the  then  required  step  of 
symbolic  reachability  analysis  we  propose  a  new,  sequential  and  activity-oriented  scheme 
which  leads  to  better  run-times  than  conventional  symbolic  reachability  computation. 
Comparing  our  new  method  to  previously  published  schemes,  the  paper  demonstrates 
the  following  advantages:  (a)  The  approach  is  applicable  to  a  general  class  of  high-level 
stochastic  models,  (b)  In  partial-order  style  we  avoid  the  explicit  generation  of  shuf¬ 
fled  sequences  of  independent  activities,  which  results  in  much  higher  generation  speed. 
(c)The  composition  scheme,  as  well  as  the  new  data  structure,  results  in  extremely  com¬ 
pact  symbolic  representations.  Furthermore,  the  comopsition  scheme  does  not  require  any 
product-form  of  the  models  sub-units  to  be  composed,  as  in  case  of  the  Kronecker-based 
approaches,  (d)  The  proposed  variant  of  symbolic  reachability  analysis  significantly  re¬ 
duces  run-time,  where  other  symbolic  SG  representation  methods,  e.g.  like  the  ones 
implemented  in  the  tools  CASPA  and  PRSIM,  may  benefit  from. 
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Kurzfassung  _ 

In  dem  vorliegenden  Bericht  wird  eine  neue  Methode  zur  Erstellung  symbolischer  Darstel- 
lungen  von  grofien  stochastischen  beschrifteten  Transitionssystemen  vorgestellt.  Im  Gegen- 
satz  zu  den  bekannten  Techniken  kann  der  hier  diskutierte  Ansatz  auf  allgemeine  stoch- 
astische  Modellbeschreibungen  angewandt  werden,  ohne  dah  diese  von  besonderer,  d.h. 
kompositioneller  Struktur  sein  miissen.  Zur  symbolischen  Zustandsraumdarstellung  wer¬ 
den  “zero-suppressed”  Binaere  Entscheidungsdiagramme  verwendet,  welche  wir  um  mehrere 
Terminalknoten  erweitern.  Die  symbolische  Zustandsraumdarstellung  wird  gewonnen, 
indem  das  zu  untersuchende  Modell  entsprechend  der  zugrundeliegenden  Semantik  der 
Modellbeschreibungsmethode  interpretiert  bzw.  ausgefiihrt  wird.  Wahrend  dieser  ex- 
pliziten  Zustandsraumexploration  wird  fur  jede  einzelne  im  Modell  spezifizierte  Aktiv- 
itat  ein  eigenes  symbolisch  reprasentiertes  Transitionssystem  “on-the-fly”  erzeugt.  Die  so 
gewonnenen  Aktivitats-lokalen  Strukturen  werden  dann  via  Komposition  zusammenge- 
fafit,  so  daft  man  eine  kompakte  symbolische  Zustandsraumdarstellung  des  potentiellen 
Gesamttransitionssystems  erhalt.  Fur  die  dann  durchzufiihrende  symbolische  Erreich- 
barkeitsanalyse  wird  hier  ein  neues,  sequentielles  und  aktivitats-orientiertes  Verfahren 
vorgeschlagen,  das  mit  geringeren  Laufzeiten  als  der  bisherige  Standardalgorithmus  auf- 
wartet.  Vergleicht  man  die  hier  prasentierte  Methode  mit  den  bisher  publizierten  An- 
satzen,  dann  wird  folgendes  in  dem  vorliegendem  Bericht  demonstriert:  (a)  Der  Ansatz 
lafit  sich  fur  eine  allgemeine  Klasse  von  stochastischen  Modellbeschreibungen  verwenden, 
(b)  Der  “partial-order-reduction”  ahnliche  Explorierungsansatz  vermeidet  die  explizite 
Generierung  von  verschrankten  Sequenzen  unabhangiger  Aktivitaten,  was  zu  einem  erhe- 
blichen  Geschwindigkeitsvorteil  fiihrt.  (c)  Das  Kompositionsschema,  gemeinsam  mit  der 
neuen  Datenstruktur,  fiihrt  zu  extrem  kompakten  symbolischen  Zustandsraumdarstellun- 
gen.  Dariiberhinaus  verlangt  das  Kompositionsschema  keine  Produkteigenschaft  der  zu 
komponierenden  Modellbestandteile,  wie  es  bei  den  bekannten  Kronecker-basierten  Ver¬ 
fahren  der  Fall  ist.  (d)  Der  neue  Algorithmus  zur  symbolischen  Erreichbarkeitsanalyse 
reduziert  die  Laufzeit,  auch  anderer  symbolischen  Zustandsraumreprasentationsverfahren, 
wie  sie  bspw.  in  den  Werkzeugen  CASPA  und  PRISM  realisiert  sind. 
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1  Introduction 


Considering  the  wide  proliferation  of  distributed  hardware  and  software  systems,  it  be¬ 
comes  increasingly  important  to  ensure  that  such  systems  work  correctly  and  that  they 
meet  high  performance  and  dependability  requirements.  Stochastic  models,  e.g.  stochastic 
Petri  nets  or  stochastic  process  algebra  specifications,  have  shown  to  be  powerful  tools  for 
describing  and  analyzing  such  concurrent  systems.  We  consider  high-level  specifications 
of  distributed  systems,  from  which  a  low-level  representation  is  derived,  such  as  stochastic 
labelled  transition  systems  (SLTS)  or  (labelled)  Markov  chains.  This  state  graph  (SG) 
provides  the  basis  for  analysis,  be  it  numerical  analysis,  model  checking  or  combinations 
thereof. 

Unfortunately,  the  interleaving  semantics  can  easily  lead  to  a  growth  of  the  SG  which  is 
exponential  in  the  number  of  independent  activities,  a  phenomenon  commonly  known  as 
the  “state  space  explosion”  problem.  In  this  paper,  we  present  a  new  symbolic  method 
for  constructing  and  representing  the  SG  for  a  general  class  of  models  which  do  not  have 
to  possess  any  particular  structure.  The  symbolic  representation  is  obtained  by  evalu¬ 
ating  the  semantics  of  the  high-level  model  and  constructing  a  separate  symbolic  set  of 
transitions  for  each  model  activity  in  an  on-the-fly  fashion,  where  zero-suppressed  multi¬ 
terminal  binary  decision  diagrams  (ZDDs)  are  used  as  the  basic  data  structure.  The 
“activity-local”  structures  are  composed  in  order  to  obtain  a  compact  symbolic  represen¬ 
tation  of  the  SG  of  the  overall  system.  Our  algorithm  is  a  round-based  scheme,  where 
exploration,  encoding,  composition  and  symbolic  reachability  analysis  are  performed  until 
a  fixed  point  is  reached.  Results  obtained  from  an  implementation  of  our  method  in  the 
context  of  the  Mobius  modelling  framework  [DCC+02]  show  that  our  method  is  both  run¬ 
time  efficient  and  memory  efficient  and  therefore  enables  the  analysis  of  systems  whose 
size  would  otherwise  render  them  intractable. 


1.1  Related  work 

In  the  context  of  stochastic  modeling,  the  most  prominent  decision  diagrams  (DDs) 
are  multi-terminal  or  algebraic  BDDs  (ADDs)  [FMY97],  multi-valued  decision  diagrams 
(MDDs)  [KVBSV98]  and  matrix  diagrams  [MinOl].  In  the  following  a  review  and  classi¬ 
fication  of  symbolic  SG  generation  schemes  as  published  in  the  literature  will  be  given. 

Published  symbolic  approaches  range  from  the  individual  generation  of  each  succes¬ 
sor  state  and  its  symbolic  encoding  [DKK02]  to  compositional  generation  procedures, 
where  operators  for  symbolic  submodel  composition  are  provided  [HMKS99,  CM99,  Sie02, 
AKN+00].  At  the  top  level,  we  distinguish  between  monolithic  and  compositional  ap¬ 
proaches,  where  the  latter  are  based  on  SG  exploration  of  the  overall  models  subunits  as 
well  as  on  operators  for  the  symbolic  composition  of  these  local  SGs.  or  even  avoid  the 
representation  of  the  overall  transition  system  by  employing  Kronecker-matrix-operations 
[CM99].  In  contrast  monolithic  approaches  do  not  take  advantage  of  any  structure  as 
possibly  inherited  by  the  high-level  model,  the  SG  is  generated  in  one  step  by  exploring 
all  enabled  activities  in  each  state,  which  may  lead  to  tremendous  run-time  overhead  or 
peak  memory  sizes.  We  further  distinguish  between  fully  symbolic  approaches  and  hybrid 
approaches,  where  hybrid  characterizes  a  combination  of  explicit  exploration  and  sym- 
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bolic  encoding.  Fully  symbolic  methods  require  a  symbolic  realization  of  the  next-state 
function,  which  is  directly  derived  from  the  high-level  model  description.  Thus  the  latter 
methods  are  highly  efficient,  since  they  avoid  any  explicit  SG  exploration,  but  they  are 
limited  to  the  case  of  the  respective  model  description  method,  e.g.  like  R-TIPP  [KS02]  (a 
stochastic  Process  Algebra  as  employed  in  the  tool  CASPA  [KSW04],  simple  k-bounded 
Petri  nets,  or  the  input  language  of  [Par02,  Pri]. 

1.  Monolithic  approaches 

These  methods  do  in  principle  not  consider  any  particular  structure  of  the  high  level 
model,  but  either  suffer  from  long  run-times  or1  depend  on  the  model  dfescription 
method. 

(a)  Hybrid:  In  [DKK02]  the  reachability  set  of  a  stochastic  Petri  net  is  generated  by 
successively  firing  the  enabled  transitions,  one  at  a  time.  Each  detected  state 
vector  is  encoded  as  a  binary  decision  diagram  (BDD)  and  inserted  via  dis¬ 
junction  into  the  decision  diagram  (DD)  representing  the  set  of  states  reached 
so  far.  Due  to  its  sequential  nature  this  approach  suffers  from  long  run-times. 
Besides  this  the  memory  savings  achieved  are  due  to  the  use  of  P-invariants, 
whose  computation  require  that  the  S-PN  is  of  a  certain  kind. 

(b)  Fully  symbolic :  The  method  presented  in  [PRCB94]  gives  a  symbolic  transition 
function  for  each  activity1  as  defined  in  a  non-stochastic,  1-bounded  PN.  It 
generates  the  set  of  all  reachable  markings  by  introducing  the  standard  breadth- 
first  search  (bfs.)  algorithm  for  symbolic  reachability  analysis.  Even  though 
this  approach  is  highly  efficient,  its  applicability  is  limited  to  the  case  of  PNs, 
where  this  approach  was  latter  extended  to  the  case  of  k-bounded  weighted  PNs 
with  inhibitor  arcs  [PRC97]. 

2.  Compositional  approaches 

Compositionality  is  known  to  be  crucial  for  the  success  of  symbolic  methods,  since  it 
reduces  run-time  and  space  complexitiy.  Runtime  is  reduced,  since  only  sequences 
of  activities  at  the  level  of  sub-units,  sub-models  resp.  are  extracted  explicitly, 
so  that  the  explicit  generation  of  all  shuffeled  execution  sequences  of  independent 
activities  is  avoided.  The  reduction  of  space  complexity  is  gained  from  regularity  of 
the  symbolic  structures  as  induced  by  the  composition  schemes  [EFT93,  HMKS99, 
HKN+03].  Consequently  compositional  approaches,  i.e.  all  of  the  approaches  listed 
below,  require  therfore  an  adequat  compositional  structure  of  the  high-level  model, 
where  furthermore  the  SGs  of  the  submodels  in  isolation  need  to  be  finite.  However 
the  partitioning  of  fiat  models  into  independent  subunits  with  local  SGs  of  adequate 
sizes  is  still  an  open  question. 

(a)  Hybrid:  If  the  high-level  model  is  partitioned  into  submodels,  it  may  be  possible 
to  generate  the  SG  of  each  individual  submodel  in  a  conventional,  explicit 
manner.  The  submodel  SGs  are  then  encoded  as  DDs  and  afterwards  composed 
by  a  symbolic  composition  scheme,  where  the  composition  may  take  either  of 
the  two  following  forms: 

1In  contrast  to  standard  PN  notations,  the  term  activity  is  emphasized  here,  so  that  transitions  will  in 
the  following  always  address  the  low-level  counterparts  of  activities  when  SG  generation  has  taken  place. 
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i.  Synchronization  over  a  set  of  activities,  either  by  employing  a  Kronecker 
structure  to  compute  the  elements  of  the  overall  generator  matrix  [CM99], 
or  by  applying  a  symbolic  version  of  the  synchronization  operator  to  gener¬ 
ate  a  symbolic  representation  of  the  overall  transition  matrix  [Sie98,  Sie02]. 
ii.  Composition  via’  state  variable  sharing,  and  application  of  a  symbolic 
“Join”-operator  [LS02], 

(b)  Fully  symbolic:  In  this  case,  the  modular  high-level  specification  is  translated 
directly  to  a  DD-based  representation,  where  submodel  encodings  are  com¬ 
posed  by  symbolic  synchronization  operators  [AKN+00,  Par02,  KS02]. 


Many  of  the  approaches  listed  above  are  limited  to  cases  where  an  upper  bound  for  the 
value  of  each  state  variable  (SV)  is  known  a  priori.  This  restricts  their  applicability 
to  cases  where  the  bounds  are  specified  in  the  model  [KS02,  Par02],  where  the  local 
SG  can  be  generated  in  isolation  [CM99,  Sie98,  Sie02,  LS02],  or  where  bounds  can  be 
computed,  e.g.  by  means  of  invariant  analysis  [PRCB94,  DKK02].  In  order  to  overcome 
this  restriction,  recently  developed  methods  generate  the  local  SGs  in  an  interleaved 
fashion  [CMS03,  DKS03],  but  the  application  of  these  methods  is  problematic  in  case  of 
flat  models  where  a  partitioning  into  adequate  submodels  is  not  obvious.  As  a  further 
problem,  concurrency  taking  place  within  one  of  the  submodels  is  not  detected,  i.e.  shuffled 
sequences  of  independent  activities  are  fully  expanded  at  the  submodel  level.  These 
considerations  result  in  two  focal  aims  for  our  new  scheme: 

1.  The  individual  treatment  of  states  (both  their  exploration  and  encoding)  should  be 
avoided  as  much  as  possible. 

2.  The  scheme  should  be  applicable  to  both,  structured  and  flat  models. 

Our  activity-local  scheme,  whose  basic  idea  we  had  described  briefly  in  [LS03]  (but  for  a 
limited  class  of  models  and  using  standard  symbolic  reachability  analysis),  achieves  these 
goals  by  maintaining  compositionality  at  the  lowest  level,  i.e.  at  the  level  of  individual 
activities.  Due  to  the  nature  of  Bryant’s  [Bry86]  Apply-algorithm,  the  activity-local 
structures  do  not  need  to  fulfill  any  product-form  requirement  as  is  the  case  for  Kronecker- 
based  schemes.  Thus  the  activity-local  approach  does  not  require  any  particular  structure 
of  the  high-level  model. 

In  order  to  extend  the  saturation  technique  of  [CMS03]  to  a  general  class  of  models, 
[Min04]  describes  a  kind  of  Apply-algorithm  for  building  the  cross-product  of  two  matrix 
diagrams.  This  algorithm  allows  [Min04]  to  employ  the  same  composition  scheme  in  the 
context  of  matrix  diagrams,  as  introduced  for  BDD-based  schemes  in  [LS02]  and  extended 
in  [LS03].  These  ideas,  which  allow  one  to  apply  symbolic  SG  generation  techniques  to 
models,  where  the  Kronecker-product-form  requirement  does  not  hold,  are  still  at  the 
core  of  the  activity-local  scheme  described  here,  but  the  present  paper  has  more  to  offer, 
namely  a  new  data  structure  and  a  new  scheme  for  symbolic  reachability  analysis, where 
the  latter  follows  an  activity- wise  startegy.  Thus  similiar  to  the  approach  of  [BCL91],  one 
executes  partitions  of  the  overall  transition  system  sequentially,  rather  than  executing 
them  all  at  once.  Furthermore  it  enables  one  to  employ  greedy  chaining  on  the  set  of 
states  to  be  explored  in  the  next  step.  As  we  recently  noticed  a  similiar  startegy,  however 
in  case  of  k-bounded  non-stochastic  Petri  nets  is  also  proposed  in  [PRC97]. 
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1.2  Organization  of  the  paper 


Sec.  2  introduces  the  model  world  and  discusses  the  encoding  of  labelled  Markov  chains 
by  ZDDs.  Sec.  3  explains  our  new  algorithms  and  discusses  their  features.  Empirical 
results  are  presented  in  Sec.  4,  and  Sec.  5  concludes  the  paper. 


2  Background 

2.1  Static  properties  of  high-level  model  descriptions 

A  model  M  consists  of  a  finite  ordered  set  of  discrete  state  variables  (SVs)  s*  G  S,  where 
each  can  take  values  from  a  finite  subset  of  the  naturals.  As  a  consequence,  each  state  of 
the  model  is  given  as  a  vector  s  G  S  C  Concerning  the  high-level  model  description 
by  means  of  Petri  nets  or  process  algebras,  the  current  value  of  a  SV  may  describe  the 
number  of  tokens  in  a  place,  the  current  state  of  a  process  or  the  value  of  a  process 
parameter.  A  model  has  a  finite  set  of  activities,  denoted  Act.  SVs  and  activities  are 
connected  through  a  connection  relation  Con  C  (5x  Act)  U  (Act  x  S ).  Thus  the  execution 
of  an  activity  l  G  Act  depends  on  a  certain  set  of  SVs  (the  enabling  set),  and  when  it  is 
executed  it  changes  the  values  of  a  certain  other  set  of  SVs  (the  set  of  affected  SVs).  In  the 
style  of  Petri  nets  we  denote  the  set  of  enabling  SVs  as  pre-set  c >1  :=  {s*  G  S\(si,  l )  G  Con}, 
and  the  set  of  affected  SVs  as  post- set  l<  :=  {s*  G  S\(l,  s*)  G  Con}.  The  union  of  these  sets 
will  be  denoted  as  the  set  of  dependent  SVs  of  activity  l,  t >l<  :=  >1  U  l< .  For  each  activity 
l  G  Act,  we  define  a  projection  function  XDl :  I  which  yields  the  sub-vector 

consisting  of  the  dependent  SVs  only.  We  use  the  shorthand  notation  sp,  :=  XD‘(s), 
where  sd,  is  called  the  activity-local  marking  of  state  s  with  respect  to  activity  l. 

We  have  a  reflexive  and  symmetric  dependency  relation  Act v  C  Act  x  Act.  Two  activities 
l,k  E  Act  are  called  dependent  if  they  share  at  least  one  SV,  i.e.  ( k ,  l )  G  Actv 
>k<  n  t >l<  7^  0.  Now  the  set  of  dependent  activities  for  each  activity  l  can  be  defined  as 
ADl  :=  {k  G  Act  |  (l,  k )  G  Actv}.  Note  that  according  to  this  definition  we  have  l  G  ADl. 
Each  time  activity  l  is  executed,  the  activity-local  markings  for  the  activities  G  ADi  may 
have  changed  as  well,  so  that  new  transitions  might  be  obtainable  by  executing  these 
activities.  We  will  make  use  of  this  set  in  our  scheme. 


2.2  Dynamic  properties  of  high-level  models 

When  an  activity  takes  place,  the  model  evolves  from  one  state  to  another.  The  transition 
function  5  :  S  x  Act  — >  S  depends  on  the  model  description  method.  Concerning 
the  target  state  of  a  transition,  we  use  the  superscript  of  a  state  descriptor  or  SV  to 
indicate  the  sequence  of  activities  leading  to  that  state,  thus  we  write  sl  :=  5(s,l).  If 
activity  l  is  enabled  in  state  s  we  write  s[>l.  We  also  define  the  partial  rate  function 
r] :  S  x  Act  x  S  — »  R>0,  which  yields  the  rate  at  which  the  model  moves  from  source  to 
target  state  when  a  specific  activity  l  occurs.  The  rate  77 (s,  l,  s')  is  undefined  if  S(s,  l)  ^  s'. 
During  SG  exploration,  5  and  rj  define  the  successor-state  relation  as  a  set  of  quadruples 
T  C  (S  x  Act  x  R>0  x  S ),  which  is  the  set  of  transitions  of  a  stochastic  labelled  transition 
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system. 

For  each  l  G  Act  we  partition  T  into  sets  of  transitions  with  label  l,  where  each  state 
vector  is  reduced  to  the  activity  dependent  markings: 

T‘ :={(&„<,  A, 4,)  I  Si,  =  A*)  A  4,  =  XD'(?' ) 

A  (s,  l,  A,  sl)  eT}  U 

Note  that,  due  to  the  abstraction  from  the  independent  SVs,  an  element  of  Tl  might 
correspond  to  more  than  one  element  of  T.  Concerning  two  activities  l  and  ft,  we  define 
the  following  partitioning  of  the  set  of  SVs: 


nM  - 

uk,l  •' 


>i<  n  >ft< 
t>i<  n  >ft< 


D1,k  •= 

uk,l  ■ 


n  >k< 
n  >k< 


The  pairwise  intersection  of  the  above  sets  is  empty  and  their  union  is  the  set  of  all  SVs 
S.  After  a  suitable  reordering  of  the  state  descriptor  we  can  write  s  =  (s^,  slifc,  s2,  S3). 
We  can  then  distinguish  the  following  cases  concerning  the  execution  sequences  p  =  Ik 
and  u  =  kl: 


s — >slk:  s — ►  (sli,sltk,s2l,s3) 
s  — »  s  :  s  — *  (sv,  s^fc,  s2fc,  s3) 
In  case  (I,  ft)  ^  .Aci25  we  have  ;  =  0  and  thus 

if  s[t>ft  then  s;[>ft 
if  s[>/  then  sk[>l 


(s[,iAkltk,sikJz) 
(«M  Ji,kAilAs) 


(Prop.  Ia) 
(Prop.  Ib) 
(Prop.  II) 


Thus,  the  order  of  the  independent  activities  ft  and  l  is  without  significance  (diamond 
property,  Prop.  II).  It  is  obvious  that  one  may  execute  these  activities  independently  on 
a  given  source  state  s  =  (s^,  s1(*,  s2,  S3),  where  the  target  state  of  the  sequential  execution 
of  either  kl  or  Ik  can  be  obtained  by  combining  the  dependent  sub-vectors  s'/  ,  and  skk. 
It  is  clear  that  the  above  properties  also  hold  for  sequences  of  more  than  two  activities 
which  are  pairwise  independent.  This  yields  a  well-known  equivalence  relation  on  the 
set  of  sequences  of  transitions,  where  two  sequences  u  and  p  are  considered  equivalent 
if  and  only  if  they  can  be  obtained  from  each  other  by  swapping  adjacent  independent 
transitions.  Each  equivalence  class  is  commonly  denoted  as  a  trace  [God95]. 


2.3  Symbolic  encodings  of  state  graphs 

Binary  decision  diagrams  (BDDs)  are  a  popular  data  structure  for  symbolic  SG  represen¬ 
tation.  In  the  context  of  stochastic  modelling,  the  most  prominent  decision-diagram  based 
data  structures  are  multi-terminal  or  algebraic  BDDs  (ADDs)  [FMY97],  multi-valued  de¬ 
cision  diagrams  (MDDs)  [KVBSV98]  and  matrix  diagrams  [MinOl]. 


2.3.1  Binary  Encodings  of  Transitions 


The  value  of  a  SV  s*  can  be  encoded  in  binary  form.  For  this  purpose  we  define  an 
injective  encoding  function  £)  :  {0, . . . ,  K{}  — >  ®ni,  where  Ki  is  the  maximum  value  of  Si 
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and  rii  >  |~log2(AA  +  1)].  We  define  n  Y^^hni  which  is  the  number  of  bits  required 
for  encoding  the  full  state  vector  s.  For  convenience,  we  define  an  encoding  function  for 
the  full  state  vector  £s  :  — »  Bn,  which  is  simply  the  combination  of  the  individual 

ones.  In  a  similar  fashion  one  can  encode  the  index  of  each  activity  label  by  an  encoding 
function  S^ct  using  n^ct  bits.  This  gives  us  the  following  binary  encoding  scheme: 

(s  4  s')  (^cf(Z),5i(s1),..,^n(sn),^i(s'1),..,5n(s^)) 

The  rate  A  is  not  encoded  in  binary  form,  it  will  be  stored  in  a  terminal  node  of  the  ADD. 


2.3.2  Zero-suppressed  multi-terminal  binary  DDs  (ZDDs) 

In  a  reduced  ordered  BDD,  isomorphic  subgraphs  have  been  merged  and  don’t  care  nodes2 
are  skipped.  Zero-suppressed  BDDs  (Z-BDDs)  [Min93]  are  derivatives  of  BDDs  for  rep¬ 
resenting  sparse  sets  efficiently.  In  Z-BDDs,  instead  of  eliminating  don’t-care  nodes,  one 
eliminates  those  non-terminal  nodes  whose  1-successor  is  the  terminal  0-node.  We  extend 
Z-BDDs  to  the  multi-terminal  case,  i.e.  a  ZDD  is  like  a  multi-terminal  BDD,  but  instead 
of  eliminating  don’t  care  nodes  we  eliminate  those  nodes  whose  1-successor  is  the  termi¬ 
nal  0-node.  Standard  arithmetic  operators  can  be  performed  efficiently  on  the  ZDD  data 
structure  with  the  help  of  a  variant  of  Bryant’s  [Bry86]  Apply-algorithm3. 


2.3.3  ZDD-based  representation  of  SGs 

A  transition  of  a  labelled  transition  system  can  be  encoded  by  a  Boolean  vector.  Each 
bit  position  of  the  vector  corresponds  to  a  Boolean  variable  of  the  ZDD  representing  the 
overall  SG.  The  symbolic  representation  of  a  SG  T  is  a  ZDD  Z  over  the  Boolean  variables 
a,  s’  and  t  where  the  variables  a  encode  the  activity  label,  variables  s  encode  the  source 
state,  and  variables  t  encode  the  target  state  of  a  transition.  In  the  sequel  we  assume 
that  the  ZDD  variables  are  ordered  in  the  following  way:  At  the  first  n^ct  levels  from 
the  root  are  the  variables  a*,  and  on  the  remaining  2n  levels  we  have  the  variables  s*  and 
t i  in  an  interleaved  fashion,  which  is  a  commonly  accepted  heuristics  for  obtaining  small 
BDD  sizes.  For  convenience  we  will  use  the  somewhat  sloppy  notation  s  6  Z  to  denote 
the  check  whether  the  encoding  of  a  certain  state  s  is  contained  in  the  ZDD  Z  either  as 
a  source  or  as  a  target  state. 


2.3.4  Unknown  bounds  for  SVs 

The  values  Ki  are  in  general  not  known  a  priori  to  SG  generation.  Contrary  to  ADDs, 
ZDDs  have  the  nice  feature,  that  during  SG  generation  and  encoding  one  can  allocate  a 
new  most  significant  bit  for  any  SV  s*  by  simply  declaring  a  new  Boolean  variable  for  Z, 
i.e.  without  (!)  changing  the  structure  of  the  DD.  Thus  it  is  not  necessary  to  know  the 
maximum  value  Ki  of  SV  variables  s*  in  advance,  and  the  introduction  of  new  bits  does 
not  slow  down  the  generation  process. 

2  A  don’t  care  node  is  a  node  whose  1-  and  O-successors  are  identical. 

3  Our  implementation  is  built  on  top  of  the  CUDD  package  [Som98],  but  we  extend  each  DD  by  the  set 
of  variables  on  which  it  depends.  This  allows  us  to  implement  an  Apply-algorithm  for  partially  shared 
ZDDs. 
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2.3.5  Example 


In  order  to  demonstrate  the  process  of  symbolic  encoding  and  the  advantages  of  ZDDs, 
we  will  complete  this  section  by  discussing  a  small  example.  Part  (A)  and  (B)  of  Fig.  1 
show  a  simple  SPN  and  its  underlying  SLTS4.  The  Boolean  encodings  of  the  transitions 
of  the  SLTS  are  specified  in  table  (C),  where  activity  labels  are  encoded  by  a-bits,  source 
states  by  s-bits  and  target  states  by  t-bits.5  Part  (D)  shows  the  corresponding  ADD  M, 
where  the  Boolean  variables  encoding  the  bits  of  source  and  target  states  are  ordered 
in  an  interleaved  fashion.  The  rates  of  the  transitions  are  stored  in  the  terminal  nodes. 
The  ADD  is  ordered,  i.e.  on  all  paths  from  the  root  to  a  terminal  node  we  have  the 
same  variable  ordering,  and  it  is  reduced,  i.e.  all  isomorphic  substructures  have  been 
merged.  In  the  ADD,  a  dashed  (solid)  arrow  indicates  the  value  assignment  0  (1)  to 
the  corresponding  Boolean  variable  on  the  respective  path.  The  nodes  printed  in  dotted 
lines  are  those  which  get  eliminated  when  applying  the  zero-suppressing  reduction  rule 
for  ZDDs6. 


3  Symbolic  Activity-local  State  Graph  Generation 

3.1  Main  ideas 

The  main  idea  of  our  approach  is  the  explicit  exploration  of  parts  of  the  SG,  where  a  de¬ 
tected  transition  is  encoded  symbolically  and  inserted  into  an  “activity-local”  ZDD.  The 
modular  or  hierarchical  structure  of  the  model  is  without  any  significance  for  this  scheme, 
we  only  need  to  know  the  set  of  dependent  SVs  for  each  activity.  Each  activity  l  has  its 
own  ZDD  which  depends  only  on  those  Boolean  variables  which  encode  the  dependent 
SVs  of  l.  After  the  generation  of  the  activity-local  ZDDs,  the  symbolic  representation  of 
the  overall  SG  is  obtained  by  composing  the  activity-local  ZDDs  and  carrying  out  a  sym¬ 
bolic  reachability  analysis.  Several  rounds  of  generation  and  composition  may  be  needed 
to  construct  the  overall  SG. 

Let  us  assume,  that  at  the  end  of  an  exploration  phase  we  have  \Act\  ZDDs  Z i  each 
of  which  encodes  the  corresponding  relation  Tl  as  defined  in  eq.  1.  We  define  the  sets  of 
dependent  Boolean  source  and  target  variables,  as  well  as  the  sets  of  their  independent 
counterparts: 

Dt  :=  {s *,  t *|sj  e  >l< 3}  1/  :=  {?',?>*  <E  (4) 

In  this  equation,  sl  and  t  *  denote  those  Boolean  variables  which  encode  the  value  of 
the  SV  S{  in  the  source  and  target  state  of  a  transition.  The  activity-local  ZDD  for 
activity  l  depends  only  on  the  set  D/.  Before  composition  can  take  place,  Z i  needs  to 
be  supplemented  by  the  set  of  independent  Boolean  variables  I*,  yielding  the  symbolic 
representation  of  the  set  of  potential  transitions  induced  by  activity  l.  When  activity 

4For  the  moment,  the  bold,  regular  and  dashed  arrows  of  the  SLTS  have  the  same  meaning,  we  will 
discuss  the  difference  between  them  in  Sec.  3.3. 

5 The  5  integer  state  variables  are  encoded  by  6  bits,  since  only  the  last  one  (the  marking  of  place  p$) 
can  take  a  value  other  than  0  or  1. 

6In  this  example,  the  ZDD  reduction  rule  can  be  applied  in  a  straight-forward  manner,  since  incidently 
in  M  no  node  is  skipped. 
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(A)  A  stochastic  Petri  net 


(D)  ADD  representing  the  SLTS 
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(B)  The  corresponding  SLTS 
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(C)  Binary  encodings  of  the  SLTS 
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Figure  1:  From  a  SPN  to  the  symbolic  representation  of  its  underlying  SLTS 
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I  takes  place,  the  SVs  s*  €  >l<  do  not  change  their  values,  they  stay  stable,  which  is 
expressed  by  the  pairwise  identity  over  the  Boolean  variables  contained  in  1/: 

Stab; (§>, ,?/,):=  /\  /\ (s‘-  ^t’,) 

s,el>/<  ■7-1 

During  composition,  the  activity-local  ZDDs  are  combined  in  order  to  obtain  the  transition 
relation  of  the  overall  model: 

ZT  :=  Y,  Z*  ■ Stab*  '  (5) 

leAct 

\ 

Hereby  A;  represents  the  binarily  encoded  activity  label  l.  The  ZDD  Zy  thus  constructed 
encodes  a  set  of  potential  transitions  of  the  overall  model.  Therefore,  at  this  point  it  is 
necessary  to  perform  symbolic  reachability  analysis. 

For  generating  the  sets  of  activity-local  transitions  Tl  we  follow  a  selective  breadth-first- 
search  strategy,  i.e.  for  a  detected  state  s' 1  which  was  reached  by  firing  action  l  we  generate 
the  set  of  successor  states  by  applying  the  transition  function  <5  for  each  dependent  activity 
k  £  A~il,  where 

•Agt  :=  {k  €  ADl  |  4,  <t  E*  A  s'  [>  k}  (6) 

In  eq.  6,  slDk  &  E *  states  that  activity  k  was  not  yet  tested  on  the  activity-dependent 
marking  of  state  sl.  The  Z-BDD  Ek  is  introduced  here  for  convenience.  It  encodes  those 
activity-local  markings  on  which  activity  k  was  already  tested  (successfully  or  not)7.  Con¬ 
sequently,  Efc  is  initialized  with  the  model’s  initial  state  se.  For  initializing  the  activity- 
local  SG  generation  procedure  we  define  Aft,  which  is  the  set  of  activities  enabled  in  the 
initial  state. 

3.2  SG  Generation  Scheme 

The  SG  generation  is  realized  with  the  help  of  two  complementary  procedures,  Encode- 
Transitions  and  ExploreStates  (shown  in  Fig.  2. A  and  2.B),  which  we  discuss  in  the  sequel. 
In  line  2  of  algorithm  EncodeTransitions  a  transition  is  read  from  the  Trans  Buffer,  and 
in  lines  3-7  the  set  Aft  of  activities  enabled  in  the  successor  state  is  determined.  The 
list  of  state-activity  tuples  to  be  explored  further  is  inserted  into  the  StateBuf  fer  in  line 
9,  and  finally  the  activity-local  encoding  of  the  current  transition  is  inserted  into  ZDD  Z 
The  complementary  exploration  routine  ExploreStates  for  executing  the  set  of  activities 
A?1  on  a  state  sl  works  as  shown  in  Fig.  2.B.  In  line  2,  a  state  together  with  a  list  of  ac¬ 
tivities  to  be  checked  is  read  from  the  Trans Buf  fer .  For  each  activity  from  that  list,  the 
successor  state  slk  and  the  corresponding  rate  A  are  computed  (lines  4  and  5).  The  tran¬ 
sition  thus  found  is  inserted  into  the  TransBuf fer  (line  7),  provided  it  is  not  a  self-loop 
(line  6)8.  By  executing  procedures  ExploreStates  and  EncodeTransitions  in  an  alternating 
fashion,  the  algorithm  will  reach  a  point  where  EncodeTransitions  has  been  executed  and 
the  StateBuf  fer  is  still  empty.  This  means  that  the  algorithm  has  visited  all  states 

7One  could  also  test  if  sfk  €  Zk,  either  as  source  or  target  state.  Repeated  tests  of  states  would  only 
induce  a  small  run-time  overhead. 

8Self-loops  can  safely  be  omitted  since  they  do  not  influence  transient  or  steady-state  probabilities. 
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(A)  Encoding  and  insertion  of  transitions  into  Z j 
(0)  EncodeTransitions() 

(1)  while  ( TransBuffer  ^  empty )  do  begin 

(2)  (s,  l,  A,  sl)  * —  TransBuffer 

(3)  Afl  :=  0 

(4)  for  each  k  G  AD‘  do  begin 

(5)  if  slDk  Eh  A  s' 1  [>  k  then  Aft  :=  Af{  U  {k} 

(6)  E k  :=  Efc  U  slDk 

(7)  end 

(8)  if  Af{  0  then 

(9)  StateBuf fer  < —  (sl,A?{) 

(10)  Zz:=Zz  +  £(sDpA,4i) 

(11)  end 


(B)  Exploration  of  states,  where  s  £  Z; 

(0)  ExploreStates() 

(1)  while  (StateBuf fer  ^  empty)  do  begin 

(2)  (sl,Agl)< — StateBuf  fer 

(3)  for  each  k  G  A®!  do  begin 

(4)  slk:=6(sl,k ) 

(5)  A  :=  r)(sl,  k,  slk) 

(6)  if  sl  7^  slk  then 

(7)  TransBuffer  * —  (s\ k ,  A,  slk) 

(8)  end 

Figure  2:  Algorithms  for  explicit  exploration  and  encoding 
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Symbolic  composition,  symbolic  reachability  analysis 
and  refill  of  StateBuffer 

(0)  lnitiateNewRound() 

(1)  Zr  :=  ReachabilityAnalysisQ 

(2)  for  each  k  €  Act  do  begin 

(3)  Temp  :=  ZR  \  Ek 

(4)  while  Temp  ^  0  do  begin 

(5)  s  < —  Temp 

(6)  if  s[>k  then  StateBuffer  < —  (s,  { k }) 

(7)  Temp  :=  Temp  \  {£(s)}  ;  ’ 

(8)  end 

(9)  end 

Figure  3:  Algorithm  for  re-initiating  a  new  round  of  explicit  exploration  and  encoding 

reachable  from  the  initial  state(s)  through  sequences  of  dependent  activities.  However  so 
far  we  have  not  considered  the  combined  execution  of  independent  activities  which  may 
trigger  new  model  behavior.  This  is  important,  since  the  activity-local  scheme  does  not 
generate  states  of  the  latter  type  explicitly,  they  are  obtained  by  symbolic  composition, 
i.e.  applying  eq.  5.  The  whole  functionality  of  testing  such  states  is  encapsulated  in  algo¬ 
rithm  InitiateNewRound,  where  symbolic  composition  and  reachability  analysis  is  realized 
by  procedure  ReachabilityAna lysis,  its  realization  will  be  discussed  below  (see  Sec.  3.4). 

In  lines  2  -  9  of  algorithm  InitiateNewRound  (Fig.  2)  one  determines  those  reachable  states 
on  which  a  given  activity  has  not  yet  been  tested,  since  these  need  to  be  examined  further. 
The  obtained  pairs  of  states  and  enabled  activities  are  inserted  into  the  StateBuffer 
(line  6)  in  order  to  re-initialize  the  StateBuffer  for  a  new  round  of  explicit  SG  ex¬ 
ploration  and  symbolic  encoding.  A  fixed  point  in  SG  generation  is  reached  when  the 
StateBuffer  is  still  empty  after  the  execution  of  InitiateNewRound.  After  the  final  call 
of  InitiateNewRound,  Z  :=Z ?  •  ZR  gives  one  the  symbolic  representation  of  the  reachable 
SG  of  the  overall  model  as  ZDD  Z. 

The  top-level  algorithm  for  our  activity-local  SG  generation  and  encoding  strategy  is 
shown  in  Fig.  4.D.  In  lines  1-3,  the  StateBuffer,  the  TransBuf fer  and  the  Z- 
BDDs  Efc  are  initialized.  In  the  inner  loop  (lines  5-8)  procedures  ExploreStates  and 
EncodeTransitions  are  called  in  an  alternating  fashion.  The  re-initialization,  performed  by 
procedure  InitiateNewRound  is  called  in  line  9,  before  a  new  round  of  the  outer  loop  (lines 
4  -  10)  is  started.  The  final  set  of  all  reachable  transitions  is  computed  in  line  11. 

3.3  Comments  on  the  activity-local  generation  scheme 

In  this  section  we  will  reason  about  the  correctness  and  completeness  of  our  activity-local 
approach,  i.e.  we  will  discuss  the  correctness  of  the  symbolic  activity-local  composition 
scheme  and  we  will  discuss  the  “partial”  character  of  its  explicit  exploration  part. 


14 


(0)  ExploreStateGraphQ 

(1)  StateBuffer  <—  (s e,  {A%}) 

(2)  TransBuf  fer  =  0 

(3)  for  each  k  G  Act  do  begin  E*,  £{sfk)  end 

(4)  do  begin 

(5)  do  begin 

(6)  ExploreStatesQ 

(7)  EncodeTrartsitionsQ 

(8)  end  until  StateBuf fer  =  0 

(9)  lnitiateNewRound() 

(10)  end  until  StateBuffer  =  0 

(11)  Z T:=(  £  Zj  •  Stab/  •  A,)  •  Z# ' 

iGAct 

Figure  4:  Main  algorithm  of  activity-local  SG  generation 


3.3.1  Correctness  of  the  generated  transitions 

Our  algorithm  starts  from  the  initial  state.  For  a  given  state  s' 1  reached  by  activity  l,  the 
algorithm  explores  activity  k  if  and  only  if 

1.  /  and  k  share  dependent  SVs  (i.e.  the  execution  of  l  may  influence  the  enabledness 
of  k) 

2.  k  is  enabled  in  sl 

3.  k  has  not  yet  been  explored  from  any  other  state  t  whose  projection  to  the  set  of 
dependent  SVs  Dk  is  identical  to  that  of  sl  (i.e.  slDk  =  tDk). 

Instead  of  encoding  a  detected  transition  (s,  l,  A,  sl)  as  a  whole,  the  algorithm  only  encodes 
the  SVs  in  the  set  Di.  The  SVs  outside  the  set  A  may  take  arbitrary  values,  but  they 
must  remain  stable  upon  execution  of  activity  l ,  which  is  expressed  by  the  multiplication 
with  Stab;.  This  has  the  effect  that  a  single  detected  transition  is  encoded  as  a  possibly 
huge  set  of  potential  transitions.  By  performing  a  symbolic  reachability  analysis,  this  set 
of  potential  transitions  is  reduced  to  the  transitions  which  are  actually  reachable  from  the 
initial  state,  yielding  only  legal  transitions. 


3.3.2  Completeness  of  the  generation  scheme 

According  to  the  diamond  property  [God95]  (c.f.  Sec.  2.2)  for  two  independent  activities 
l  and  k  (here  (l,k)  Actv),  the  order  of  their  execution  is  without  significance.  Conse¬ 
quently  one  may  execute  these  activities  independently  on  a  given  source  state  s.  The 
target  state  of  the  combined  sequential  execution  of  either  kl  or  Ik  can  than  be  obtained 
by  combining  the  activity  dependent  markings  as  contained  in  the  intermediate  states  s‘ 1 
and  sk.  This  property  also  holds  for  sequences  of  pairwise  independent  activities,  yielding 
the  well-known  trace  equivalence  relation  on  the  set  of  sequences  of  executed  activities 
[God95].  Consequently  one  only  needs  to  generate  the  sequences  of  dependent  activities 
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explicitly.  All  other  states  can  be  obtained  by  a  composition  of  the  kind  as  mentioned 
above.  This  is  exactly  the  functionality  of  the  algorithms  presented  in  Fig.  2. 


3.3.3  Example 

We  consider  again  the  example  depicted  in  Fig.  1,  where  we  will  especially  illustrate  now 
the  reasons  why  in  the  general  case  the  activity-local  generation  scheme  may  need  more 
than  one  round  of  exploration.  One  may  for  the  moment  ignore  the  rate  information, 
since  it  is  irrelevant  for  the  following  discussion.  Starting  from  the  initial  state  (10100), 
the  activity-local  scheme  will  explore  those  transitions  explicitly  which  are  drawn  by  fat 
arrows  in  the  figure.  As  an  example,  transition  10100  01100  will  be  explored  and  then 

encoded  in  the  activity-local  ZDD  Za  of  activity  a  as  10***  — >  01***,  where  the  symbol 
*  denotes  a  don’t  care,  since  the  respective  variables  are  not  visible  within  Za  (only  p\  and 
P2  belong  to  the  set  of  dependent  SVs  of  activity  a).  The  transitions  drawn  by  regular 
arrows  are  the  ones  which  are  generated  during  the  composition  of  the  activity-local 
ZDDs,  which  can  be  seen  as  a  cross  product  construction  followed  by  reachability  analysis 
as  called  by  algorithm  InitiateNewRound.  We  will  now  explain  why  the  transitions  drawn 
as  dashed  arrows  in  the  figure  are  not  generated  during  the  first  round  of  exploration, 
i.e.  the  reason  why  more  than  one  round  of  explicit  exploration  is  required.  Consider, 
for  example,  transitions  caused  by  activity  d:  In  the  first  round  the  algorithm  explicitly 
generates  the  transition  10010  10001,  which  is  encoded  in  the  activity-local  ZDD 

of  activity  d  as  ***10  — »  ***01.  The  cross  product  construction  yields  any  transition 
-t~H 1-10  —*  H — I — (-01  (where  the  +- positions  are  arbitrary  but  stable),  but  it  does  not  yield 

d 

the  dashed  transition  00011  — »  00002.  During  procedure  InitiateNewRound,  however,  the 
algorithm  will  detect  the  fact  that  state  00011  is  reachable  and  that  activity  d  has  not 
yet  been  tested  in  states  of  the  type  ***11.  Therefore  the  tuple  (00011, d)  will  be  inserted 
into  the  StateBuf  fer  at  this  point,  and  this  dashed  transition  (as  well  as  the  other  two 
dashed  transitions)  will  be  explored  in  the  second  round. 


3.4  Symbolic  reachability  analysis 

We  now  discuss  two  variants  of  a  reachability  algorithm  as  required  by  algorithm  Initiate¬ 
NewRound  (line  1  of  algorithm  of  Fig.  4.C).  -  In  line  1  of  the  algorithm  of  Fig.  5. A 
we  first  compute  the  ZBDD  Z t,  which  represents  the  set  of  potential  transitions,  (for 
simplicity,  activity-labels  are  omitted  and  rates  are  dropped).  Furthermore  the  algorithm 
employs  another  three  ZBDDs:  The  ZBDD  Z u  for  representing  the  set  of  unexplored 
states ,  the  ZBDD  Z r  for  representing  the  set  of  reached  states  and  ZBDD  Ztmp,  which 
represents  the  set  of  states  detected  in  the  current  iteration.  The  former  two  ZBDDs  are 
initialized  with  the  binary  encoding  of  the  initial  state  s€,  where  the  function  M  constructs 
the  respective  ZBDD  (lines  2  and  3).  The  standard  breadth-first-search  (bfs)  symbolic 
reachability  analysis  is  realized  by  the  do-until  loop  of  lines  4-8.  The  conjunction  of  Zv 
(unexplored  states)  and  ZT  (potential  transitions)  delivers  all  transitions  emanating  from 
the  states  of  Z u-  The  subsequent  abstraction  of  the  source  states  as  encoded  by  variables 
s  yields  the  set  of  newly  reached  target  states  stored  as  Ztmp  (line  5).  From  the  level  of 
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(A)  Quasi-parallel  symbolic  reachability  analysis 
bfs.  traversal  as  proposed  by  [PRCB94,  Sie02] 

(0)  ReachabilityAnalysis() 

(1)  1T  :=  YlieAct  '  Stab* 

(2)  ZR:=M(t,£(s<)) 

(3)  Z  u:=M(s,£(se)) 

(4)  do  begin 

(5)  Z tmp  '•=  Abstract (Zr  A  Z u,  s,  V)  \  ZR\ 

(6)  ZR  =  ZRV  Ztrnp ; 

(7)  Zv  :=  Ztmp{s  <—  t}; 

(8)  end  until  Zu  =  0 

(9)  Z#  :=  Z^{s<—  t}; 

(B)  Sequential  activity-oriented  symbolic  reachability 
analysis  organised  as  quasi-dfs-traversal 

(0)  ReachabiIityAnalysis() 

(1)  Z :=  0; 

(2)  Zu:=M(s,£(s%  _ 

(3)  for  each  k  £  Act  do  begin  Z*,  :=  Z*,  •  Stab*.  end 

(4)  do  begin 

(5)  ZR  :=  ZR  V  Z[/ 

(6)  for  each  k  £  do  begin 

(7)  ~£-tmp  • —  Abstract  (Z/-  A  Z^/,  s,  V)  \  ^Ri 

(8)  Zu  :=  Zjy  V  Ztmp{s  <—  t}; 

(10)  end 

(11)  Zu:=Zu\ZR 

(12)  end  until  Zu  =  0 


Figure  5:  Pseudo-code  of  symbolic  reachability  analysis  variants 


the  reachability  algorithm  this  step  is  set-oriented  and  parallel,  since  Z u  may  represent 
more  than  one  state,  and  one  obtains  all  successor  states.  We  propose  now  the  following 
improvements: 

1.  replace  the  “ parallel'  scheme  of  line  5  Fig.  5. A  by  an  activity-wise  scheme  (lines  6  - 
10  Fig.  5.B). 

2.  update  the  set  of  unexplored  states  as  soon  as  possible  (line  8  Fig.  5.B). 

If  Z u  of  Fig.  5.B  were  not  updated  with  the  newly  reached  states  in  line  8,  but  outside 
the  inner  f  or-loop,  one  would  obtain  the  same  number  of  iterations  of  the  main  (outer) 
do-until  loops  for  both  algorithms.  The  activity-wise  iteration  of  Fig.  5.B  combined 
with  an  early  update  of  Z u  realizes  a  set-oriented  quasi  depth-first-search  (dfs)  scheme, 
since  all  successor  states  of  Z u  reachable  by  the  same  activity  k  are  generated  in  one 
step.  Consequently  this  procedure  leads  to  a  significant  reduction  of  the  number  of  iter- 
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ations  (#iter)  of  the  main  (outer)  do-until  loop.  In  Sec.  4  where  the  empirical  results 
of  the  two  reachability  algorithms  are  presented,  we  will  refer  to  this  reduction  by  the 
ratio  Titer-  The  order  of  execution  the  symbolic  encoded  state-to-state  transition  function 
thus  influences  the  generation  speed.  Consequently  one  may  refine  or  coarsen  the  set  of 
states  explored  in  each  for-loop,  e.g.  bookkeeping  the  sets  of  unexplored  states  for  each 
activity  individually.  Depending  on  the  employed  high-level  model,  doing  so  influences 
the  run-time  behavior  significantly.  E.g.  in  case  of  the  FTMP  model  the  most  efficient 
strategy  is  the  strategy  to  explore  all  states  reached  so  far  (do  not  remove  already  explored 
states  form  Z y),  however  in  case  of  the  FMS  model  such  a  strategy  may  almost  double 
the  run-time. 

As  we  discovert  recently  the  authors  of  [PRC97]  also  develop  the  idea  of  symbolic  Petri 
net  traversal  by  applying  transition  chaining.  By  applying  the  symbolic  encoded  activity 
transition  functions  individually  one  is  there  also  enabled  to  directly  insert  the  states 
reached  next  into  the  set  of  unexplored  states  (line  7  and  8,  algorithm  5.B),  but  there 
without  removing  the  already  reached  ones.  However  our  experiments  showed  us,  that 
this  so  called  greedy  chaining  technique,  even  though  it  reduces  the  number  of  iterations 
of  the  outer  do-until  loop  and  thus  calls  to  the  Apply—  and  Abstract-algorithms, 
plays  often  a  miner  role  only.  Consequently  it  seems  that  the  sequential  employment  of 
a  somehow  partiotioned  set  of  symbolic  transition  functions,  which  was  to  the  best  of 
our  knowledge  already  suggested  by  [BCL91],  is  the  main  source  of  runtime  reduction. 

I.e.  the  sequential  handling  of  small  DD-structures  is  more  efficient  as  handling  big  DD 
structures  once-at  a  time,  where  the  update  strategy  of  the  set  of  unexplored  states  Z jj 
plays  a  minor  role  only,  which  of  course  depend  on  the  employed  model. 


4  Empirical  Evaluation 

Within  the  Mobius  modelling  framework  [DCC+02]  the  local  exploration  of  submodel 
SGs  in  isolation  is  not  feasible,  due  to  the  nature  of  the  Join  model  composition  formal¬ 
ism.  Consequently,  such  a  framework  is  highly  suited  for  implementing  the  activity-local 
approach.  Furthermore,  this  offers  the  opportunity  to  compare  our  method  to  the  com¬ 
positional  MDD-  and  Kronecker-based  approach  of  [DKS03],  where  submodel  SGs  are 
generated  in  an  interleaved  fashion  and  symbolically  encoded  on-the-fly. 

Our  implementation  consists  of  three  main  modules: 

1.  A  module  for  the  explicit  SG  generation  (derived  from  the  standard  SG  generator 
of  Mobius)  which  constitutes  the  interface  between  our  symbolic  engine  and  Mobius 
(algorithm  of  Fig.  2.B). 

2.  The  symbolic  engine  (mainly  algorithm  (A)  and  (C)  of  Fig.  2  and  one  algorithm  of 
Fig.  5). 

3.  A  ZDD-library  (based  on  the  CUDD-package  [Som98]),  which  contains  the  algo¬ 
rithms  for  manipulating  partially  shared  ZDDs  and  implements  a  C++  wrapper  for 
them. 
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The  experiments  carried  out  with  our  implementation,  as  well  as  the  ones  executed  with 
CASPA  [KSW04]  and  PRISM  [Pri],  were  run  on  a  Pentium  IV  3  GHz  system  with  1 
GByte  of  RAM  and  a  Linux  OS.  All  run-time  results  were  averaged  from  100  runs. 

4.1  Comparison  of  the  ADD  and  ZDD  data  structures 

Table  1  illustrates  the  difference  between  the  ADD-  and  ZDD-based  encoding  schemes 
with  respect  to  their  space  and  time  complexity  for  five  different  models  taken  from  the 
literature.  The  first  column  gives  the  model  scaling  parameter,  the  second  gives  the 
total  number  of  Boolean  variables  required  for  encoding  all  SVs.  In  order  to  make  a  fair 
comparison,  we  encoded  each  SV  by  a  minimum  number  of  bits.  In  practice  such  an 
allocation  strategy  for  ADD- variables  is  not  feasible,  due  to  the  lack  of  a  priori  knowledge 
of  the  maximum  value  Ki  taken  by  SV  s*,  but  a  brute-force  strategy,  where  one  allocates 
as  many  ADD  variables  as  possible,  significantly  increases  memory  space  and  run-time.  In 
case  of  ZDDs,  pre-allocation  of  Boolean  variables  is  unnecessary,  since  skipped  variables 
are  interpreted  as  being  0-assigned.  In  order  to  give  the  reader  an  impression  of  the 
dimensions  of  the  employed  DD-structures,  Table  1  gives  the  number  of  nodes  required 
for  representing  the  set  of  reachable  states  (encoded  by  Z-BDD  Zr),  the  transition  system 
(encoded  by  ZDD  ZT),  as  well  as  the  peak  number  of  nodes  (peak)  as  allocated  during 
the  process  of  symbolic  SG  construction.  In  our  implementation,  since  we  employed 
the  CUDD-package,  each  node  consumes  16  bytes  of  memory.  We  also  collected  the 
number  of  cache  hits  and  misses  (concerning  the  DD  “computed  table”),  in  order  to  give 
an  impression  of  the  number  of  calls  to  the  recursive  Apply  and  Abstract  algorithms. 
Column  tg  contains  the  generation  time  in  seconds.  In  order  to  simplify  the  comparison, 
on  the  right-hand  side  of  the  table  we  provide  the  ratios  of  memory  consumption  for  Zr , 
Z t  and  the  peak  number  of  nodes,  where  figures  are  normed  with  respect  to  the  ZDD- 
based  version.  The  last  two  columns  in  Table  1  give  the  ratio  of  the  cache  hit  rates  (rc^r) 
and  the  ratio  of  the  construction  times  rtime,  were  in  both  case  the  ZDD- variant  was  once 
again  considered  of  being  of  unit  1. 

As  illustrated  by  the  various  case  studies,  the  use  of  ZDDs  reduces  memory  consumption. 
As  a  consequence  of  smaller  DD  sizes,  run-time  and  cache  hit  rate  both  improve.  The 
Tandem  Queuing  Network  model,  which  we  specified  as  a  SPN  consisting  of  3  places, 
constitutes  a  very  interesting  case  study.  Two  of  the  places  may  contain  the  number  of 
tokens  specified  by  the  scaling  parameter  N  (let  us  say  places  1  and  2),  and  the  remaining 
place  (place  3)  contains  either  one  or  zero  tokens.  Consequently  for  N  =  2n<  —  1  the  model 
uses  a  very  dense  Boolean  enumeration  scheme,  where  n*  is  the  number  of  bits  used  for 
encoding  place  i  G  {1,2}.  As  we  expected,  and  as  supported  by  the  experimental  data, 
in  these  cases  the  space  requirements  of  the  ADD-based  scheme  are  to  be  favored.  If  N 
is  a  power  of  two,  the  enumeration  scheme  is  much  sparser  and  a  different  picture  has  to 
be  drawn.  Surprisingly,  the  ZDD-based  scheme  maintains  its  run-time  advantage  in  both 
cases,  which  seems  to  be  a  consequence  of  the  fact  that  using  ZDDs  one  does  not  need  to 
allocate  nodes  for  0-assigned  variables.  Note  that  the  Tandem  Queuing  Network  model  is 
a  worst-case  scenario  for  the  activity-local  scheme  concerning  the  number  of  transitions 
to  be  explicitly  explored  and  binarily  encoded. 

From  a  certain  size  on,  the  FMS  model  has  smaller  run-time  using  ADDs  than  using  ZDDs, 
even  though  the  final  ADD-structures  are  much  larger  than  their  ZDD  counterparts.  We 
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“The  figures  of  the  ZDD-based  version  were  considered  as  100%,  i.e.  values  above  1  for 
r r,  rr,  r peak,  r time  and  below  1  for  rc)lT  indicate  that  the  ZDD-based  version  is  superior  to  the  ADD- 
based  version. 


Table  1:  Empirical  comparison  of  ADDs  and  ZDDs  for  various  case  studies 
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(A)  Mobius  [DCC+02] 
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(B)  CASPA  [KSW04] 
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Table  2:  Empirical  comparison  of  the  two  variants  of  symbolic  reachability  analysis 


give  these  figures  in  order  to  illustrate  another  important  effect,  the  influence  of  the 
variable  ordering  on  the  DD  sizes  and  thus  the  time  for  manipulating  them.  Under  a 
different  variable  ordering,  the  ZDD-based  representation  delivers  much  better  run-times 
(cf.  col.  10  and  14  of  Table  3.C). 


4.2  Reachability  analysis 

The  number  of  explicitly  explored  and  encoded  transitions  under  the  activity-local  scheme 
is  very  low  (see  e.g.  col.  3  and  4  of  Table  3. A).  Consequently  it  is  not  very  surprising 
that  under  the  activity-local  scheme,  similar  to  the  fully  symbolic  approaches,  most  of  the 
execution  time  is  consumed  by  symbolic  reachability  analysis.  The  portion  of  time  spent 
for  this  symbolic  reachability  analysis  differs,  of  course,  for  different  models.  For  instance, 
for  the  Kanban  and  FTMP  model  one  only  spends  about  70%  on  reachability  analysis, 
whereas  for  the  FMS  and  CP  model  symbolic  reachability  analysis  accounts  for  99%  of  the 
run  time.  As  a  consequence,  most  of  the  CPU  time  is  spent  in  routines  for  manipulating 
the  DD  structures.  Profiling  reveals  that  a  dominant  fraction  of  the  run-time,  between 
35%  and  68%,  is  spent  in  the  CUDD-functions  Uniquelnter  and  CacheLookup,  where  other 
functions  consume  less  than  10%.  Uniquelnter  delivers  either  an  existing  node  found  in  the 
unique  table,  or  a  newly  allocated  node.  The  CacheLookup  function  accesses  the  computed 
table  in  order  to  fetch  results  from  previous  recursions  of  the  Apply-  or  Abstract- 
algorithm.  Table  2  compares  standard  bfs-  with  our  new  quasi-dfs  reachability  algorithm. 
The  data  is  based  on  the  different  run-times,  the  number  of  calls  to  Uniquelnter  (c2ut)  and 
CacheLookup  (c2ct),  and  on  the  peak  memory  requirements  (peak).  In  order  to  simplify 
the  comparison,  we  only  give  ratios  by  norming  everything  to  the  figures  of  the  new 
variant.  Table  2. A  shows  the  figures  for  the  ZDD-based  implementation  as  realized  within 
Mobius.  While  the  new  variant  consumes  more  peak  memory,  it  involves  much  fewer  calls 
to  Uniquelnter  and  CacheLookup ,  which  makes  it  substantially  faster.  Table  2.B  shows 
results  obtained  from  a  realization  of  the  new  reachability  scheme  within  the  tool  CASPA, 
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which  is  based  on  ADDs.  Even  though  the  number  of  iteration  of  the  outer  do-until 
(Fig.  5)  loop  is  reduced  by  a  factor  of  about  4  (rjfer  in  Table  2.B),  the  quasi-dfs  scheme 
only  halves  the  run-time.  This  might  be  a  consequence  of  the  very  compact  encodings  of 
each  state  by  CASPA,  since  CASPA  employs  a  dense  enumeration  scheme  of  submodel 
states,  leading  to  much  “flatter”  DD-structures,  i.e.  DDs  with  fewer  Boolean  variables, 
than  other  implementations,  e.g.  PRISM  or  our  Mobius  implementation.  Thus  it  is  not 
surprising,  that  even  under  CASPA  the  new  scheme  for  symbolic  reachability  analysis 
becomes  more  advantageous  the  larger  the  generated  DDs  are,  indicated  by  the  growing 
figures  of  column  one  and  two  of  Table  2.B. 

The  algorithm  of  Fig.  5.B  leaves  room  for  variation,  e.g.  one  could  update  the  set  of 
unexplored  states  outside  the  inner  for  loop,  one  could  use  all  reached  states  for  explo¬ 
ration,  rather  than  only  the  newly  reached  ones,  etc..  Surprisingly  we  experienced  that 
the  activity- wise  refinement  is  the  main  source  of  run-time  reduction.  An  early  updating 
for  Zjy,  as  realized  by  our  scheme  of  Fig.  5.B,  often  plays  a  minor  role  only,  which  of  course 
depends  on  the  employed  high-level  model.  Therefore  we  conclude,  that  one  should  avoid 
operating  directly  on  large  DD  structures.  It  is  much  better  to  explicitly  sequentialize  the 
operations  and  operate  on  smaller  structures. 


4.3  Assessment  of  the  activity-local  scheme 

In  order  to  make  a  fair  comparison,  we  used  the  same  two  Mobius  model  specifications 
as  in  [DKS03],  namely  the  scalable  Fault-tolerant  multiprocessor  model  (FTMP)  [SM92] 
and  the  Courier  protocol  (CP)  [WL91].9  To  the  best  of  our  knowledge,  these  models  are 
currently  the  only  ones  where  run-time  data  for  the  MDD-based  approach  under  Mobius  is 
available.  The  results  of  [DKS03]  were  obtained  on  an  AMD  Athlon  2400  with  1.5  GByte 
of  RAM,  whereas  our  own  experiments  were  run  on  a  Pentium  4  with  3  GHz  and  1  GByte 
of  RAM.  Table  3.  A  shows  the  basic  figures  for  the  two  models.  For  simplicity  we  once  again 
provide  only  ratios  for  run-time10  and  memory  consumption,  where  we  normed  everything 
to  the  figures  of  the  the  activity-local  scheme.  Our  activity-local  approach  is  significantly 
faster  than  the  MDD-based  approach,  especially  in  case  of  the  FTMP  example.  This 
shows  that  our  partial-order  style  strategy  of  exploring  only  paths  of  dependent  activities 
pays  off,  especially  for  models  without  strongly  modular  structure  (cf.  col.  3  and  4  of 
Table  3. A  and  col.  3  of  Table  3.C).  Furthermore  the  memory  requirement  for  storing  the 
set  of  reachable  states  is  better  as  well  (rmem4i?),  except  in  case  of  the  FTMP  model  with 
scaling  parameter  N  =  6. 

The  size  of  DDs,  and  thus  the  effectiveness  of  the  symbolic  manipulations,  is  strongly 
influenced  by  the  ordering  of  the  Boolean  variables.  Given  that  symbolic  reachability 
analysis  is  the  dominant  factor  of  run-time,  which  is  also  the  case  for  the  BDD-based 
approaches  as  realized  in  the  tools  PRISM  and  CASPA,  and  given  that  the  variable 
ordering  might  even  depend  on  the  model  specification  itself  [KSW04],  it  is  clear  that  a 
comparison  of  different  BDD-based  tools  needs  to  be  conducted  with  great  care. 

9The  FTMP  model  as  specified  under  Mobius  is  a  worst-case  scenario  for  methods  based  on  composi¬ 
tion,  since  it  has  very  little  submodel-local  behavior.  It  therefore  nicely  illustrates  the  advantages  of  our 
approach,  which  does  not  require  any  particular  model  structure. 

10The  timing  information  in  [DKS03]  includes  time  for  state  lumping,  but  since  this  is  below  0.3%  of 
the  overall  time  we  can  safely  neglect  it. 
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(A)  Comparison  to  the  MDD-based 
scheme  of  [DKS03] 

1  N  |  #  states  |  #  trans.  |  #  transe  ||  7-mem4K  I  mmK  \ 


(B)  Run-time  data  pro¬ 
duced  by  PRISM  [Pri] 
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(C)  Comparing  the  activity-local  approach  to  PRISM  [Pri] 
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Table  3:  Comparison  of  the  activity-local  scheme  and  other  symbolic  SG  representation 
approaches 
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The  probabilistic  model  checker  PRISM  [Pri]  implements  a  fully  symbolic  compositional 
SG  generation  scheme.  We  decided  to  employ  PRISM  for  the  remaining  two  case  studies 
(Kanban  and  FMS  ),  since  -  similar  to  our  own  implementation  -  it  allows  the  user  to 
specify  the  SV  ordering  and  it  encodes  each  SV  by  a  Boolean  vector.  Table  3.B  gives  the 
basic  data  of  the  models,  as  well  as  some  statistics  obtained  from  PRISM:  iterR  refers  to 
the  number  of  iterations  needed  for  symbolic  reachability  analysis  (basically  algorithm  (A) 
in  Fig.  5,  line  4-8),  and  tg  refers  to  the  CPU  time  for  the  whole  process  of  reachable  SG 
generation.  The  number  of  nodes  required  for  encoding  the  set  of  states  and  transitions  is 
given  in  Table  3.C  (col.  4  +  5).  For  the  Kanban  model  our  implementation  encodes  the 
model  in  the  same  way  as  PRISM  does,  consequently  the  generated  ADDs  are  identical. 
But  in  case  of  the  FMS  model,  we  employed  a  slightly  different  model,  due  to  the  different 
elimination  of  immediate  transitions.  As  a  consequence  of  employing  fewer  SVs,  we  were 
able  to  encode  each  state  by  a  smaller  number  of  Boolean  variables,  (see  col.  2  of  Table  3.C 
for  details),  leading  to  smaller  DD  structures,  whose  sizes  are  given  in  col.  3  and  4  of 
Table  3.C.  In  order  to  evaluate  the  different  aspects  of  the  work  presented  here,  we  chose 
to  investigate  the  activity-local  scheme  in  three  different  settings: 

1.  In  the  first  setting  we  combined  the  activity-local  scheme  with  ADD-based  SG  rep¬ 
resentation,  where  the  standard  bfs.  symbolic  reachability  analysis  was  employed. 

2.  In  the  second  setting  we  replaced  the  standard  scheme  for  symbolic  reachability 
analysis  by  our  new  quasi-dfs  symbolic  exploration  scheme. 

3.  In  the  final  setting  we  switched  to  the  ZDD-based  SG  representation. 

The  figures  of  the  different  settings  are  shown  in  column  6  to  14  of  Table  3.C,  where  we 
normalized  all  data  to  the  figures  produced  by  PRISM. 

Form  Table  3.C  one  can  conclude,  that  the  explicit  handling  of  transitions  induces  a  non- 
neglible  run-time  overhead,  albeit  this  number  ( transe )  is  reduced  to  a  small  fraction  of 
the  overall  number  of  transitions  to  be  symbolically  represented  (cf.  #trans.  and  #transe 
in  Tables  3.A-3.C).  However  this  drawback  is  justified  by  two  aspects: 

1.  The  activity-local  approach  -  in  comparison  with  the  fully  symbolic  ones  -  is  not 
restricted  to  any  specific  model  description  method,  which  is  of  great  importance 
for  tools  relying  on  a  multi-formalism  paradigm. 

2.  Unstructured  monolithic  models,  such  as  the  FTMP-model,  can  still  be  analyzed 
efficiently,  where  submodel-oriented  compositional  approaches  may  fail. 

As  shown  by  the  last  7  columns  of  Table  3.C,  our  new  algorithm  for  symbolic  reachability 
analysis  as  well  as  the  use  of  ZDDs  improves  the  situation  significantly.  As  with  all 
symbolic  representation  techniques,  memory  space  is  not  an  issue.  Even  though  we  store 
redundant  DDs  in  order  to  simplify  and  speed  up  the  activity-local  scheme,  the  FMS 
model,  which  was  the  largest  model  concerning  memory  requirement,  consumed  only  10.5 
MByte  for  symbolic  SG  generation  and  representation.  If  memory  were  at  a  premium, 
the  redundancy  could  easily  be  eliminated  without  a  dramatic  increase  in  run-time. 
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5  Summary  and  Future  Work 

The  work  presented  here  consists  of  the  following  three  main  components: 

1.  We  introduced  and  empirically  evaluated  ZDDs,  which  proved  to  be  an  excellent 
data  structure  for  symbolic  SG  generation  and  representation. 

2.  We  proposed  a  new  algorithm  for  symbolic  reachability  analysis,  organized  as  a 
sequential  quasi-dfs  scheme,  and  demonstrated  its  significant  run-time  savings. 

3.  We  presented  the  activity-local  SG  generation  scheme  for  generating  the  symbolic 
next-state  functions  by  explicit  SG  exploration. ' 

The  scheme  does  not  only  yield  compact  symbolic  representations,  but  also  has  the  advan¬ 
tage  that  the  SG  only  needs  to  be  explicitly  explored  partially.  Consequently  the  scheme 
leads  to  substantial  run-time  savings,  especially  in  cases  where  the  high-level  model  does 
not  have  a  compositional  structure  or  a  fully  symbolic  method  is  not  applicable.  Besides 
this,  ZDD-based  SG  representation,  as  well  as  the  new  scheme  for  symbolic  reachabil¬ 
ity  analysis  can  easily  be  integrated  into  existing  BDD-based  tools  such  as  PRISM  and 
CASPA,  in  order  to  improve  run-time  and  reduce  memory  space. 

Since  we  develop  our  implementations  in  the  context  of  Mobuis,  we  are  currently  work¬ 
ing  on  an  efficient  symbolic  realization  of  the  “Replicate”  feature  and  on  the  symbolic 
treatment  of  reward  variables.  Another  important  step  of  our  work  is  the  development 
of  efficient  numerical  analysis  algorithms.  Here  we  are  almost  finished  with  adapting  the 
approach  of  [Par02]  to  the  ZDD  data  structure,  where  the  first  results  are  very  promising. 
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